JDK 8u431 Release Notes
Java SE 8u431 Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 8u431 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
Changes in Java SE 8u431 b31
Bug Fixes
Release date: October 15, 2024| BugId | Category | Subcategory | Summary |
|---|---|---|---|
| JDK-8215757 | hotspot | compiler | C2: PhaseIdealLoop::create_new_if_for_predicate() computes wrong IDOM |
| JDK-8219448 | hotspot | compiler | split-if update_uses accesses stale idom data |
Java™ SE Development Kit 8, Update 431 (JDK 8u431)
Release date: October 15, 2024
The full version string for this update release is 1.8.0_431-b10 (where "b" means "build"). The version number is 8u431.
IANA TZ Data 2024a
For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime at the time of the release of JDK 8u431 are specified in the following table:
| Java Family Version | Security Baseline (Full Version String) |
|---|---|
| 8 | 1.8.0_431-b10 |
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u431) be used after the next critical patch update scheduled for January 21, 2025.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u431) on 2025-02-21. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
Notable Issues Resolved
Fixed the issue with entries in the "java" and "javac" groups not being properly managed during an RPM upgrade.
Upgrading from an older Java RPM installed into a shared directory (/usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}) to a Java RPM installing into a version-specific directory (/usr/lib/jvm/jdk-${VERSION}-oracle-${ARCH}), results in the older Java entries in the "java" and "javac" groups not being deleted.
The issue does not manifest until the new Java is uninstalled. When it is uninstalled and Java from the lower release is installed, running Java commands like java or keytool without the full path specified will result in the "command not found" error. For example, install 21.0.3; upgrade it to 21.0.4; uninstall 21.0.4; install any Java update of 17 or 11 or 8 release; run "java" from the command line. The command will fail with the "command not found" error.
Manually delete orphan Java entries in the "java" and "javac" groups to workaround the issue.
Other Notes
New, default limits have been added to HTTP in the JDK.
The JDK built-in implementation of the URL protocol handler for HTTP (HttpURLConnection) now has a default limit on the maximum response headers size that will be accepted from a remote party. The limit is set by default at 384kB (393216 bytes) and is computed as the cumulative size of all header names and header values plus an overhead of 32 bytes per header name value pair.
The default value of the limit can be changed by specifying a positive value with the jdk.http.maxHeaderSize system property on the command line, or in the conf/net.properties file. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.
The JDK built-in implementation of the com.sun.net.httpserver.HttpServer implements a similar limit for the maximum request header size the server is prepared to accept. The HttpServer limit can be changed by specifying a positive value with the sun.net.httpserver.maxReqHeaderSize system property on the command line. A negative or zero value is interpreted as no limit. The limit is set by default at 384kB (393216 bytes) and the size is computed in the same way as explained above. If the limit is exceeded, the connection is closed.
The following root certificates have been added to the cacerts truststore:
+ SSL.com
+ ssltlsrootecc2022
DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
+ SSL.com
+ ssltlsrootrsa2022
DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
The TLS_ECDH cipher suites have been disabled by default, by adding "ECDH" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. The TLS_ECDH cipher suites do not preserve forward-secrecy and are rarely used in practice. Note that some TLS_ECDH cipher suites were already disabled because they use algorithms that are disabled, such as 3DES and RC4. This action disables the rest. Any attempts to use cipher suites starting with "TLS_ECDH_" will fail with an SSLHandshakeException. Users can, at their own risk, re-enable these cipher suites by removing "ECDH" from the jdk.tls.disabledAlgorithms security property.
Please note that this change has no effect on the TLS_ECDHE cipher suites, which are still enabled by default.
The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored by Entrust root certificates, in line with similar plans recently announced by Google and Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which are managed by Entrust.
TLS server certificates issued on or before November 11, 2024 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.
The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after November 11, 2024.
An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:
TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048),
OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
If necessary, and at your own risk, you can work around the restrictions by removing "ENTRUST_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.
The restrictions are imposed on the following Entrust Root certificates included in the JDK:
| Distinguished Name | SHA-256 Fingerprint |
|---|---|
| CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US |
73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C |
| CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US |
02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5 |
| CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US |
43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39 |
| CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US |
DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88 |
| CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net |
6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77 |
| CN=AffirmTrust Commercial, O=AffirmTrust, C=US |
03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7 |
| CN=AffirmTrust Networking, O=AffirmTrust, C=US |
0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B |
| CN=AffirmTrust Premium, O=AffirmTrust, C=US |
70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A |
| CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US |
BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23 |
You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server.
This JDK release relaxes the specification of java.awt.Robot to account for possible platform and desktop environment access restrictions or limitations.
This JDK implements Maintenance Release 6 of the Java SE 8 specification JSR 337. This is indicated by the system property java.specification.maintenance.version having the value of "6".
In the JDK, java.text.MessageFormat now has an implementation limit for the ArgumentIndex pattern element. The hard limit for the value is 10,000.
If an ArgumentIndex value is equal to or exceeds the upper limit, an IllegalArgumentException will now be thrown by
MessageFormatsconstructorsapplyPattern(String pattern)instance methodformat(String pattern, Object... arguments)static method
De-serializing a MessageFormat object with an ArgumentIndex value at or over the limit will throw an InvalidObjectException.
There are some scenarios where upgrading from a JRE version 8u361 or below to a newer JRE version of Java 8 may break some of the Windows registry keys for the Java Runtime Environment. The Java Uninstall Tool will repair such situations, regardless if a JRE is selected for uninstall or not.
Updates to Third Party Libraries
| Library | New Version | Module | JBS |
|---|---|---|---|
| GIFlib | 5.2.2 | JDK-8328999 | |
| Libpng | 1.6.43 | JDK-8329004 | |
| Libxml2 | 2.12.17 | JDK-8332539 | |
| WebKit | 619.1 | JDK-8328994 |
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
The following table lists the bug fixes included in the JDK 8u431 release:
| # | BugId | Component | Summary |
|---|---|---|---|
| 1 | JDK-8325179 | client-libs/javax.swing | Race in BasicDirectoryModel.validateFileCache |
| 2 | JDK-8328953 | client-libs/javax.swing | JEditorPane.read throws ChangedCharSetException |
| 3 | JDK-8330415 | core-libs/java.lang | Update system property for Java SE specification maintenance version |
| 4 | JDK-8267938 | core-libs/java.net | (sctp) SCTP channel factory methods should check platform support |
| 5 | JDK-8299058 | core-libs/java.net | AssertionError in sun.net.httpserver.ServerImpl when connection is idle |
| 6 | JDK-8332424 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2024-05-16 |
| 7 | JDK-8334418 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2024-06-14 |
| 8 | JDK-8334653 | core-libs/java.util:i18n | ISO 4217 Amendment 177 Update |
| 9 | JDK-8337230 | docs/guides | Update JSSE security and system properties in Customizing JSSE |
| 10 | JDK-8202948 | hotspot/compiler | C2: assert(init_offset >= 0) failed: positive offset from object start |
| 11 | JDK-8330462 | javafx/accessibility | StringIndexOutOfBoundException when typing anything into TextField |
| 12 | JDK-8331881 | javafx/web | WebView: Update Public Suffix List to 1cbd6e7 |
| 13 | JDK-8329011 | javafx/web | Update SQLite to 3.45.3 |
| 14 | JDK-8338306 | javafx/web | WebView Drag and Drop fails with WebKit 619.1 |
| 15 | JDK-8338307 | javafx/web | Additional WebKit 619.1 fixes from WebKitGTK 2.44.3 |
| 16 | JDK-8331765 | javafx/web | Websocket callbacks are not executed after WebKit 617.1 update |
| 17 | JDK-8261433 | security-libs/javax.crypto:pkcs11 | Better pkcs11 performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit |
| 18 | JDK-8219991 | security-libs/javax.net.ssl | New fix of the deadlock in sun.security.ssl.SSLSocketImpl |
| 19 | JDK-8341059 | security-libs/javax.net.ssl | Change Entrust TLS distrust date to November 12, 2024 |